{"id":366,"date":"2025-11-17T17:25:22","date_gmt":"2025-11-17T17:25:22","guid":{"rendered":"https:\/\/sites.wp.odu.edu\/isaac-huston\/?page_id=366"},"modified":"2025-11-17T17:25:51","modified_gmt":"2025-11-17T17:25:51","slug":"nmap-scanning-procedures","status":"publish","type":"page","link":"https:\/\/sites.wp.odu.edu\/isaac-huston\/skills\/network-security-analysis\/nmap-scanning-procedures\/","title":{"rendered":"NMAP Scanning Procedures"},"content":{"rendered":"\n<p>Detailed record of scan commands, flag selection, and service enumeration steps. Shows how I translate network data into actionable insight.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Nmap Scanning Reference Guide\n\nThis guide covers common Nmap scanning techniques, options, and output features. It summarizes how to perform host discovery, port scanning, service detection, OS fingerprinting, stealth scanning, script execution, and report generation.\n\n---\n\n## 1. Host Discovery\n\nNmap can perform a **ping sweep** to identify active hosts on a network.\n\n**Command:**\n\n```bash\nnmap -sP &lt;target-ip-or-range&gt;\n```\n\n**Example (scan an entire subnet):**\n\n```bash\nnmap -sP 10.1.16.0\/24\n```\n\n---\n\n## 2. Port Scanning\n\n### Scan all ports\n\nBy default, Nmap scans only the top 1000 common ports. To scan every port:\n\n```bash\nnmap -p- &lt;target&gt;\n```\n\nEquivalent full-range form:\n\n```bash\nnmap -p 1-65535 &lt;target&gt;\n```\n\n**Example:**\n\n```bash\nnmap -p- 10.1.16.12\n```\n\n### Scan specific ports or ranges\n\n```bash\nnmap -p 80 &lt;target&gt;\nnmap -p 22,80,443 &lt;target&gt;\nnmap -p 1-200 &lt;target&gt;\n```\n\n---\n\n## 3. Service and OS Detection\n\nYou can combine multiple options to identify more information about a target.\n\n### Detect OS and service versions\n\n```bash\nnmap -sV -O &lt;target&gt;\n```\n\n**Example:**\n\n```bash\nnmap -p 80 -sV -O 10.1.16.12\n```\n\n---\n\n## 4. 
Scan Techniques\n\n### TCP Connect Scan\n\nUses the full TCP handshake.\n\n```bash\nnmap -sT 10.1.16.0\/24\n```\n\n### SYN Stealth Scan\n\nSends SYN packets without completing the handshake. Useful for quieter scans.\n\n```bash\nnmap -sS 10.1.16.0\/24\n```\n\n### UDP Scan\n\nHelps identify UDP services.\n\n```bash\nnmap -sU 10.1.16.1\n```\n\n### Disable host discovery\n\nUseful when hosts might block ICMP.\n\n```bash\nnmap -Pn 10.1.16.1\n```\n\n---\n\n## 5. Default Script and Advanced Scan\n\n### Default script scan\n\nRuns Nmap\u2019s built-in default scripts.\n\n```bash\nnmap -sC 10.1.16.1\n```\n\n### Aggressive scan\n\nPerforms OS detection, version detection, script execution, and traceroute.\n\n```bash\nnmap -A 10.1.16.1\n```\n\n---\n\n## 6. Timing Options\n\nFirewalls and intrusion detection systems (IDS) often detect fast or repetitive scans. Nmap supports timing templates to help reduce detection or speed up scanning as needed.\n\n| Option | Description |\n| ------ | ----------- |\n| -T0    | Paranoid    |\n| -T1    | Sneaky      |\n| -T2    | Polite      |\n| -T3    | Normal      |\n| -T4    | Aggressive  |\n| -T5    | Insane      |\n\n**Example:**\n\n```bash\nnmap -sS -T1 10.1.16.1\n```\n\nSlower scans help avoid detection.\n\n---\n\n## 7. Nmap Scripting Engine (NSE)\n\nNmap includes a powerful script engine used to detect vulnerabilities and gather additional information.\n\n### Run default scripts\n\n```bash\nnmap -sC &lt;target&gt;\n```\n\n### Run specific scripts\n\n```bash\nnmap --script=&lt;script-name&gt; &lt;target&gt;\n```\n\n### Banner grabbing\n\n```bash\nnmap --script=banner &lt;target&gt;\n```\n\n### Vulnerability scanning\n\n```bash\nnmap --script=vuln &lt;target&gt;\n```\n\n### Update the script database\n\n```bash\nnmap --script-updatedb\n```\n\n---\n\n## 8. 
Output Formatting\n\nNmap can output scan results in several formats:\n\n| Option | Format             |\n| ------ | ------------------ |\n| -oN    | Normal text output |\n| -oX    | XML output         |\n| -oG    | Grepable output    |\n\n### Example: output to XML\n\n```bash\nnmap -O 10.1.16.0\/24 -oX enum.xml\n```\n\n### Convert XML to HTML\n\nYou can convert an XML report into an HTML file for easier viewing using `xsltproc`.\n\n```bash\nxsltproc enum.xml -o enum.html\n```\n\n### View in browser\n\n```bash\nfirefox enum.html\n```\n\nFull example workflow:\n\n```bash\nnmap -O 10.1.16.0\/24 -oX enum.xml &amp;&amp; xsltproc enum.xml -o enum.html\nfirefox enum.html\n```\n\n---\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Detailed record of scan commands, flag selection, and service enumeration steps. Shows how I translate network data into actionable insight.<\/p>\n","protected":false},"author":30346,"featured_media":0,"parent":324,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages\/366"}],"collection":[{"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/users\/30346"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/comments?post=366"}],"version-history":[{"count":1,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages\/366\/revisions"}],"predecessor-version":[{"id":367,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages\/366\/revisions\/367"}],"up":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages\/324"}],"wp:attachment":[{"href":"https:\/\/sites.wp.odu.edu\/isaac-h
uston\/wp-json\/wp\/v2\/media?parent=366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}